- From: Maciej Stachowiak <mjs@apple.com>
- Date: Fri, 16 May 2008 01:53:15 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On May 16, 2008, at 12:04 AM, Julian Reschke wrote:

> Maciej Stachowiak wrote:
>> In practice it is much more important for same-origin to be implemented
>> consistently between XHR and HTML5 (and other Web standards) than for it
>> to be precisely consistent cross-browser, as inconsistencies in the
>> same-origin policy could lead to security holes. Thus, taking a snapshot
>> of what HTML5 says and putting it in XHR1 would be a dead letter,
>> because if HTML5 changes and browsers change to match it, they will not
>> leave their XHR implementation using an older version of the security
>> policy.
>
> Interesting enough, this seems to be exactly the opposite of what Ian
> just said :-):

HTML5 and browsers all differ slightly from each other on these issues. Though HTML5 does not aim to invent anything in the area of cross-domain security, I think there will be iterative convergence among the implementations and the spec. The point is, if XHR1 ends up requiring something different than HTML5 does, at least one of those will be ignored by implementors.

Or to look at it another way, either HTML5 will not change on anything it requires on this, in which case citing its definitions won't actually change the meaning of XHR1 in the future; or it will change, in which case having an obsolete copy of the definitions in XHR1 will be actively harmful.

So we should either cite by reference or be prepared to promptly issue errata in the future.

Regards,
Maciej

> Ian> The point is that Apple and Microsoft are both going to implement the
> Ian> thing as required by the Web in 2000, not as defined in HTML5. HTML5 is
> Ian> describing existing practice on these matters, not defining new material.
>
> BR, Julian
Received on Friday, 16 May 2008 08:54:02 UTC